Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities?

Organization of #operations

M. Sprengers, J. van Haaster, in Cyber Guerilla, 2016

Evading heuristic-based malware detection

Heuristic-based malware detection focuses on detecting intrusions by monitoring the activity of systems and classifying it as normal or anomalous. The classification is often based on machine learning algorithms that use heuristics or rules to detect misuse, rather than patterns or signatures. One of its shortcomings is that it tends to have a high false positive rate, such that many legitimate actions are classified as intrusive, and that it requires useful training data, which is typically difficult to obtain in large IT environments.

Contemporary host-based malware detection products focus on in-memory patterns. Apart from heuristics, they apply techniques such as block hashing, which computes hashes of parts of a suspicious file instead of the whole file, or they are able to detect polymorphic encrypted payloads in memory.

However, these malware detection products are usually designed to search for exploitation and malware behavior, for example, code patterns that exploit a vulnerability in some software product. Although this (partly) mitigates the risk of automatic/noninteractive malware infections, such as a drive-by download or watering hole attack (which are typically triggered by exploitation of either a zero-day or a well-known vulnerability), these products are less effective against malware that was launched with human interaction, for example, by tricking a targeted user into starting the malware code himself during a (spear)phishing attempt. If the guerilla band detects that this type of host-based malware detection is used, it is recommended to stay away from general (automated) exploitation techniques. By actively interacting with the infected systems instead of using automatic viruses, the hacker group may cause the malware to mimic human behavior. For example, it is recommended to use impersonation attacks (e.g., stealing a password) and to use regular legitimate tools and programs to perform postexploitation and lateral movement, as these are typically allowed by the antimalware solutions. For example, in a Windows environment generally available (networking) tools such as the command prompt, PowerShell, Remote Desktop, PsExec, and Windows Management Instrumentation (WMI) can be used to perform internal reconnaissance, lateral movement, and postexploitation without raising suspicion.


URL: //www.sciencedirect.com/science/article/pii/B9780128051979000036

Real-time Network Intrusion Detection Using Hadoop-Based Bayesian Classifier

Sanjai Veetil, Qigang Gao, in Emerging Trends in ICT Security, 2014

Host Intrusion Detection System

As mentioned above, HIDSes focus on monitoring and detecting intrusions at a single host. Network administrators have to carefully analyze the pros and cons of installing a commercial IDS on a target host, since it is costly in terms of licensing fee and maintenance. Typically, in large corporations, a single high-end machine, designated as a powerful Web server that caters to millions of requests/transactions per day, is an ideal candidate for installing an HIDS. It is highly likely that this Web server becomes the target for hackers. The HIDS is configured to monitor the target machine’s Network Interface Card (NIC), which connects it to the rest of the network. The traffic data (and optionally, the log files) generated by the target machine are monitored by the HIDS.


URL: //www.sciencedirect.com/science/article/pii/B9780124114746000189

A Survey of Intrusion Detection Systems Using Evolutionary Computation

Sevil Sen, in Bio-Inspired Computation in Telecommunications, 2015

4.2 Intrusion detection systems

An IDS is an indispensable part of network security. It is introduced as a system for detecting intrusions that attempt to compromise the main security goals of a resource: confidentiality, integrity, and availability. The development of an IDS is motivated by the following factors:

Most existing systems have security flaws that render them susceptible to intrusions. Finding and fixing all these deficiencies is not feasible (Denning, 1987), and in particular, complex systems are prone to errors that could be exploited by malicious users.

Prevention techniques are not sufficient. It is almost impossible to have an absolutely secure system (Denning, 1987). An IDS comes into the picture when an intrusion has occurred and cannot be prevented by existing security systems.

Because insider threats are generally carried out by authorized users, even the most secure systems are susceptible to insiders. Furthermore, many organizations report that threats from inside can be much more harmful than outsider attacks (CERT, 2011).

New intrusions continually emerge. Therefore, security solutions need to be improved or introduced to defend our systems against novel attacks. This is what makes intrusion detection such an active research area.

An IDS detects possible violations of a security policy by monitoring system activities and responding to these violations according to the policy. An IDS can be called host-based IDS (HIDS) or network-based IDS (NIDS), according to the system that it monitors. If an attack is detected when it enters the network, a response can be initiated to prevent or minimize damage to the system. Moreover, the prevention techniques can be improved with the feedback acquired from IDSs. Security solutions do not operate on their own, as they once did. Nowadays, prevention, detection, and response mechanisms generally communicate with each other in order to protect the system from complex attacks.

There are generally two metrics employed in order to evaluate IDSs: detection rate and false positive rate. Detection rate represents the ratio of malicious activities detected to all malicious activities. A missed intrusion could result in severe damage to the system. False positives are normal activities that are falsely detected as malicious by the IDS. A low false positive rate is just as important as a high detection rate. When an intrusion is detected, the IDS usually raises an alarm to the system administrator. A high false positive rate places an excessive burden on the administrator, and as a result alerts might not be analyzed by security experts in real time. Another metric, called the intrusion capability metric (CID), was introduced in 2006 in order to evaluate IDSs (Gu et al., 2006). The authors define CID as the ratio of the mutual information between IDS input and output to the entropy of the input. It naturally includes both the detection rate and the false positive rate. Even though many approaches still use the conventional intrusion detection metrics (i.e., detection and false positive rates), CID has important characteristics for comparing IDSs, and it is expected to become more commonplace in the near future.
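The three metrics named above, computed from a confusion matrix, as an added example (not code from the chapter or from Gu et al.). CID is implemented as quoted: the mutual information between the IDS input X (intrusion or not) and its output Y (alert or not), divided by the entropy of X. The event counts are constructed.

```python
"""Detection rate, false positive rate and CID from a confusion matrix.

Added example; the counts below are constructed, not measured.
"""
import math


def _entropy(probs):
    """Shannon entropy in bits of a discrete distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def ids_metrics(tp, fn, fp, tn):
    """Return (detection_rate, false_positive_rate, cid).

    tp: intrusions that raised an alert      fn: intrusions that were missed
    fp: normal events that raised an alert   tn: normal events passed silently
    The ground truth must contain both classes, otherwise H(X) = 0.
    """
    n = tp + fn + fp + tn
    detection_rate = tp / (tp + fn)
    false_positive_rate = fp / (fp + tn)

    # Joint distribution of (x, y): x = 1 intrusion, y = 1 alert.
    joint = {(1, 1): tp / n, (1, 0): fn / n, (0, 1): fp / n, (0, 0): tn / n}
    px = {1: (tp + fn) / n, 0: (fp + tn) / n}   # input distribution
    py = {1: (tp + fp) / n, 0: (fn + tn) / n}   # output distribution

    # I(X;Y) = sum p(x,y) log2( p(x,y) / (p(x) p(y)) ), skipping zero cells.
    mutual_info = sum(p * math.log2(p / (px[x] * py[y]))
                      for (x, y), p in joint.items() if p > 0)
    cid = mutual_info / _entropy(px.values())
    return detection_rate, false_positive_rate, cid


if __name__ == "__main__":
    # Constructed day of traffic: 100 intrusions among 10,000 events.
    for label, counts in [("noisy IDS", (90, 10, 100, 9800)),
                          ("quieter IDS", (90, 10, 10, 9890)),
                          ("perfect IDS", (100, 0, 0, 9900)),
                          ("alerts on everything", (100, 0, 9900, 0))]:
        dr, fpr, cid = ids_metrics(*counts)
        print(f"{label:22s} DR={dr:.3f} FPR={fpr:.4f} CID={cid:.3f}")
```

The last two rows illustrate why CID is more informative than the two rates alone: an IDS that alerts on everything has a detection rate of 1.0 yet a CID of 0, because its output carries no information about its input, while a perfect detector scores 1.0.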

4.2.1 IDS Components

The three main components of an IDS—data collection, detection, and response—are depicted in Figure 4.1. The data collection component is responsible for the collection and preprocessing of data tasks, such as transforming data to a common format, data storage, and sending data to the detection module (Lundin and Jonsson, 2002). Various data from different sources, such as system logs, network packets, and management information base data, can be collected and formatted to send to the intrusion detection module.

Figure 4.1. IDS components.

The detection module analyzes and processes the formatted data obtained from the data collection module in order to detect intrusion attempts, and forwards the events flagged as malicious to the response module. There are three intrusion detection techniques: anomaly-based, misuse-based, and specification-based. The anomaly-based intrusion detection technique defines the normal behaviors of the system, such as usage frequency of commands or system calls, resource usage of programs, and so on. Activities falling outside the normal behaviors of the system are labeled as intrusions. Various techniques have been applied for anomaly detection, such as classification-based techniques (e.g., neural networks, naive Bayes, support vector machines (SVM)) and clustering-based techniques. Because normal behavior can change over time, one of the biggest challenges in this approach is to define the normal behavior of a system. It is particularly challenging in highly dynamic networks, such as mobile ad hoc networks (MANETs) and vehicular ad hoc networks (VANETs). Another disadvantage of this technique is the high number of false positives. How to update the system profile automatically is another challenge. Concept drift, the problem of distinguishing malicious behaviors from the natural change in user/system behaviors, is an issue in anomaly-based detection systems. The conventional approaches mainly overcome this issue by updating the user/system profiles, which is particularly crucial for the ongoing detection of attackers. The updating system generally uses unlabeled data in retraining, due to the large amount of data. Therefore, the updating system has to trust the decisions that the anomaly-based detection system makes. For instance, if the detector misses an intrusive behavior, it will be added to the training data as a benign datum. The ability to adapt to concept drift therefore depends on the accuracy of the detector. Sen (2014) showed that misclassified instances included in updating could considerably decrease the performance of anomaly-based detection approaches.
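A small reproduction of the updating problem just described, as an added example (not code from the chapter or from Sen, 2014). The profile is the command-usage frequency feature mentioned above: a session is flagged when the mean surprisal of its commands under the profile exceeds a threshold. The profile is then retrained on unlabeled data, trusting the detector's own verdicts, and the experiment shows a missed low-profile intrusion being absorbed into the profile until an overt intrusion using the same tool is no longer flagged; a second run restricts updates to analyst-confirmed sessions for comparison. All sessions, command names and the threshold are constructed.

```python
"""Self-poisoning of an anomaly-based detector under unlabeled profile updating.

Added example; every session, command name and threshold below is constructed.
"""
import math
from collections import Counter

THRESHOLD_BITS = 4.0   # constructed alert threshold: mean bits of surprisal per command

# Constructed benign training sessions: sequences of shell commands.
NORMAL_SESSIONS = [
    ["ls", "cd", "cat", "vim", "make", "git", "ls", "cat"],
    ["cd", "ls", "git", "make", "vim", "cat", "cd", "git"],
    ["vim", "make", "make", "ls", "cat", "git", "cd", "vim"],
    ["git", "cat", "ls", "cd", "vim", "make", "git", "vim"],
    ["make", "ls", "cd", "cat", "git", "vim", "make", "cd"],
    ["cat", "vim", "git", "ls", "make", "cd", "cat", "ls"],
]
NORMAL_TEST = ["cd", "vim", "git", "ls", "make", "cat", "ls", "cd"]
# One unfamiliar tool hidden in otherwise routine activity: scores below threshold.
STEALTHY_INTRUSION = ["ls", "cd", "cat", "vim", "make", "git", "ls", "curl"]
# The same tool used heavily: scores above threshold on a clean profile.
OVERT_INTRUSION = ["curl", "curl", "curl", "ls", "cd"]


class CommandProfile:
    """Normal-behaviour profile: additively smoothed command frequencies."""

    def __init__(self, sessions, alpha=0.5):
        self.alpha = alpha
        self.counts = Counter()
        self.total = 0
        for session in sessions:
            self.update(session)

    def update(self, session):
        self.counts.update(session)
        self.total += len(session)

    def prob(self, cmd):
        # One extra vocabulary slot reserves probability mass for unseen commands.
        vocab = len(self.counts) + 1
        return (self.counts[cmd] + self.alpha) / (self.total + self.alpha * vocab)

    def score(self, session):
        """Mean surprisal of the session in bits; higher means more unusual."""
        return sum(-math.log2(self.prob(c)) for c in session) / len(session)

    def is_anomalous(self, session, threshold=THRESHOLD_BITS):
        return self.score(session) > threshold


def update_from_unlabeled(profile, sessions, threshold=THRESHOLD_BITS):
    """Naive retraining: every session the detector did not flag is treated as benign."""
    absorbed = 0
    for session in sessions:
        if not profile.is_anomalous(session, threshold):
            profile.update(session)
            absorbed += 1
    return absorbed


def update_from_confirmed(profile, sessions, confirmed_benign):
    """Safer retraining: only sessions an analyst confirmed as benign enter the profile."""
    for session, benign in zip(sessions, confirmed_benign):
        if benign:
            profile.update(session)


def drift_experiment():
    """Score the overt intrusion before and after each updating strategy."""
    naive = CommandProfile(NORMAL_SESSIONS)
    before = naive.score(OVERT_INTRUSION)
    absorbed = update_from_unlabeled(naive, [STEALTHY_INTRUSION] * 5)
    after_naive = naive.score(OVERT_INTRUSION)

    confirmed = CommandProfile(NORMAL_SESSIONS)
    update_from_confirmed(confirmed, [STEALTHY_INTRUSION] * 5 + [NORMAL_TEST] * 5,
                          [False] * 5 + [True] * 5)
    after_confirmed = confirmed.score(OVERT_INTRUSION)
    return {"before": before, "absorbed": absorbed,
            "after_naive": after_naive, "after_confirmed": after_confirmed}


if __name__ == "__main__":
    for name, value in drift_experiment().items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
```

With these constructed inputs the overt session scores about 5 bits on the clean profile and drops to about 3.5 bits after five stealthy sessions have been absorbed, so a detector that retrains on its own verdicts silently loses the ability to flag the very tool it first missed; the confirmed-only profile keeps it above threshold.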

A misuse-based (or signature-based) IDS relies on defined signatures in order to detect known attacks. It is the most commercially employed approach due to its efficiency. Although it has a low false positive rate, the biggest disadvantage of this approach is that it cannot detect novel attacks and unknown variants of existing attacks. Many proposed approaches have low resilience against even the simplest obfuscation techniques. Another issue is the need to update the attack signature database frequently. Because large numbers of attacks are introduced every day, the ability to generate new signatures automatically is an essential characteristic of an IDS. Nowadays, misuse-based and anomaly-based intrusion detection techniques are generally employed together: while the misuse-based systems are efficient in detecting known attacks, anomaly-based detection systems are employed to detect the attacks missed by them.

The last intrusion detection technique is the specification-based method, in which attacks are detected as violations of well-defined specifications of a program/protocol. Since its introduction in 2001 (Uppuluri and Sekar, 2001), this technique has mainly been used for ad hoc networks. It detects both known and unknown attacks with a low false positive rate (Uppuluri and Sekar, 2001). Because the routing protocols proposed for ad hoc networks are vulnerable to attacks, due to their dynamic and collaborative nature, specification-based intrusion detection is quite suitable for such networks. It is the most employed technique in ad hoc networks and is proposed as a way of keeping different types of ad hoc routing protocols protected. However, this technique cannot detect denial of service (DoS) attacks, because these types of attacks follow the system specifications. In general, it does not flag legitimate activities as attacks, even unusual ones (Uppuluri and Sekar, 2001). Another disadvantage of this technique is the requirement to define specifications for each protocol used in the system. Because of this time-consuming requirement, it has attracted little interest in wired networks.

When an event is classified as malicious, it is sent to the response module. The module behaves according to the defined response policy. Intrusion detection responses are divided into two groups (Axelsson, 2000): active and passive responses. There are still many systems that give only passive responses, that is, notifying the proper authority. An active response, on the other hand, attempts to mitigate or prevent the damage of an intrusion by controlling either the attacked system or the attacking system (Axelsson, 2000). Blocking the IP address attacking the system, or terminating network connections for a while, are examples of commonly used active responses. Systems of this type are typically called Intrusion Prevention Systems.

4.2.2 Research Areas and Challenges in Intrusion Detection

Intrusion detection has been an appealing research area since Denning first introduced a formal model for the problem (Denning, 1987). Intrusion detection is a challenging research area due to its very nature, and a great deal of research has emerged in this domain. Lundin and Jonsson (2002) classify the major research areas in intrusion detection as follows: foundations, data collection, detection methods, response, IDS environment and architecture, IDS security, testing and evaluation, operational aspects, and social aspects.

Foundations cover the research carried out on intrusions, intruders, and vulnerability. The main challenge here is to update IDSs against emerging new attacks every day. A good IDS must perform continuous adaptation to new attacks, changes in the system, and the like. Data collection deals with selecting data sources and features, how to collect data, logging, and formatting data. One of the main problems of IDSs is analyzing and processing highly imbalanced and large amounts of network data efficiently. Researchers mainly work on selecting appropriate features for intrusion detection and reducing redundant features. The majority of research has been carried out on detection methods. The main challenges of each detection technique are given in detail in the previous section. The difficulty of distinguishing normal data from abnormal data and developing systems that are robust against unknown attacks are among the most important challenges. Studies on response aim to answer the following questions: how to respond to detected intrusions (i.e., passively or actively, temporarily or permanently), and how to represent detected intrusions to the proper authority.

How to distribute IDS agents and facilitate interoperability between IDS agents are subresearch areas in IDS environment and architecture. It is a particularly active research area in networks that lack central points at which all network data could be monitored and analyzed. Three main intrusion detection architectures are proposed for such networks: stand-alone, distributed and collaborative, and hierarchical. There are few studies that define information exchanges between IDS agents. Mobile agents, which carry both data and software from one system to another autonomously and continue their execution on the destination system, are another method of communication with many advantages, such as reducing the network load and adapting dynamically (Lange and Oshima, 1999). IDS security is related to protecting IDS communication and the IDS itself from attacks. This “secure security” concept is especially important in critical domains such as health care and tactical systems. Studies in this immature research area have accelerated in recent years, and a survey on adversarial attacks against IDSs was recently published (Corona et al., 2013). Testing and evaluation takes into account how to evaluate IDSs. There are many comparisons available in the literature. The Knowledge Discovery in Databases (KDD) data set (Lippman et al., 2000) is considered benchmark data in these studies. Operational aspects cover technical issues such as maintenance, portability, and upgradeability of IDSs. Social aspects are related to ethical and legal issues of deploying IDSs (Lundin and Jonsson, 2002). Operational and social aspects are excluded due to their irrelevance to this study.


URL: //www.sciencedirect.com/science/article/pii/B9780128015384000045

Intrusion Response Systems: A Survey

Bingrui Foo, ... Eugene H. Spafford, in Information Assurance, 2008

Design Approach

Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) developed an architecture that inherits well-developed analytical techniques for detecting intrusions and casts them in a framework that is highly reusable, interoperable, and scalable in large network infrastructures [8, 31]. Its primary goal is not to perform automated intrusion response. However, its modular structure and tools can enable effective response mechanisms.

The primary entity within EMERALD is the monitor, with multiple monitors deployed within each administrative domain. The monitors may interact with the environment passively (reading activity logs or network packets) or actively (via probing that supplements normal event gathering). The monitors may also interact with one another. An EMERALD monitor has a well-defined interface for sending and receiving event data and analytical results from third-party security services. An EMERALD monitor is capable of performing both signature analysis and statistical profile-based anomaly detection on a target event stream. The work on these components represents state-of-the-art development in the intrusion detection literature within each domain. In addition, each monitor includes an instance of the EMERALD resolver, a countermeasure decision engine capable of fusing the alerts from its associated analysis engines and invoking response handlers to counter malicious activity.

A feature that makes EMERALD well suited to intrusion response in a distributed environment is its capability for alert aggregation. This is achieved through a tiered arrangement of monitors and exchange of CIDF-based [32] alert information. Thus, resolvers are able to request and receive intrusion reports from other resolvers at lower layers of the analysis hierarchy, enabling the monitoring and response to global malicious activity. Each resolver is capable of invoking real-time countermeasures in response to malicious or anomalous activity reports produced by the analysis engines. The countermeasures are defined in a field specific to the resource object corresponding to the resource in which the monitor is deployed. Included with each valid response method are evaluation metrics for determining the circumstances under which the method should be dispatched. These criteria are the confidence of the analysis engine that the attack is real and the severity of the attack. The resolver combines the metrics to formulate its monitor's response policy.


URL: //www.sciencedirect.com/science/article/pii/B978012373566950015X

Detecting System Intrusions

Scott R. Ellis, in Computer and Information Security Handbook (Third Edition), 2017

The Favored Operating System: Linux

The general preference in the security community is to conduct business from Linux. It is a powerful tool and is believed to be far superior in terms of security compared with any other. Detecting intrusions, that is, the process of monitoring for, tracking down, and investigating a breach, will require the investigator to be more secure than the intruder.

There are many flavors of Linux. SO is built on Ubuntu. If you wanted to, you could build out a deployment of SO “from scratch.” Doing so is a more advanced task and will not be covered in this chapter.


URL: //www.sciencedirect.com/science/article/pii/B9780128038437000053

Denial of Service

Stacy Prowell, ... Mike Borkin, in Seven Deadliest Network Attacks, 2010

IDS/IPS Systems

An IDS observes traffic on a port and attempts to match it against known patterns corresponding to malware, port scanning, or DDoS attacks. A well-known open-source IDS is Snort [Y]. Figure 1.4 shows the ACID Web interface to the Snort database. When Snort matches a pattern, it triggers an alert and can notify system administrators immediately. Additionally, it captures and logs traffic, which can help determine precisely what is happening.

FIGURE 1.4. Displaying Intrusion Detection Data with ACID

EasyIDS is built around Snort and a few other tools, and packaged as a Linux distribution based on CentOS. It is installed on a single dedicated machine with two network interface cards (one facing the Internet, one facing your local network) to protect a network. This simplifies the installation, configuration, and maintenance of a network IDS (NIDS).

Bro is another open-source IDS [Z]. Bro relies heavily on protocol analysis to detect abnormal traffic, while Snort relies on simpler signature-based matching. Bro and Snort can be used together, as they are complementary, and both have the capability to execute actions when they detect an event of interest. For example, if your IDS detects that a host is scanning ports on your machine, it might write a rule to your firewall or router to block the scanning host's address. The use of an IDS to actively respond to intrusion attempts and block them transforms this system into one known as an intrusion prevention system (IPS).

Another strategy for detecting intrusion attempts is to create a honeypot. A honeypot is a carefully monitored machine or address that is used only to detect attacks. Normal, legitimate traffic is never directed to the honeypot machine, so any traffic that is detected at the honeypot is likely malicious. Thus, by monitoring the honeypot, an IDS can detect when a network intrusion is being attempted. A simple example of a honeypot is an e-mail address created for the sole purpose of collecting spam. Since the e-mail address does not go to any legitimate recipient, any e-mail that arrives at the address is spam and should be filtered from the rest of the e-mail. Project Honey Pot uses exactly this technique to monitor spammers [AA].
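The two ideas from this section combined in one small detector, as an added example (not code from the book, Snort or Bro): a honeypot address that receives no legitimate traffic, so any connection to it is treated as a probe, plus the port-scan case mentioned above, with the active IPS-style response rendered as a firewall rule for the offending source. The connection log lines, addresses, threshold and the nftables rule text are constructed; the rules are returned as strings and not applied.

```python
"""Honeypot contact and port-scan detection with an active (IPS-style) response.

Added example; the log, addresses and threshold below are constructed.
"""
import re
from collections import defaultdict

HONEYPOT_IPS = {"10.0.0.250"}   # constructed: no legitimate service lives here
PORT_SCAN_THRESHOLD = 5         # distinct ports from one source to one host counts as a scan

# Constructed connection log in a syslog-like format.
CONN_LOG = """\
2024-03-01T10:00:01 conn src=10.0.0.15 dst=10.0.0.20 dport=443 proto=tcp
2024-03-01T10:00:02 conn src=10.0.0.15 dst=10.0.0.21 dport=80 proto=tcp
2024-03-01T10:00:05 conn src=203.0.113.9 dst=10.0.0.250 dport=22 proto=tcp
2024-03-01T10:00:06 conn src=203.0.113.9 dst=10.0.0.20 dport=22 proto=tcp
2024-03-01T10:00:07 conn src=198.51.100.7 dst=10.0.0.20 dport=21 proto=tcp
2024-03-01T10:00:07 conn src=198.51.100.7 dst=10.0.0.20 dport=22 proto=tcp
2024-03-01T10:00:07 conn src=198.51.100.7 dst=10.0.0.20 dport=23 proto=tcp
2024-03-01T10:00:08 conn src=198.51.100.7 dst=10.0.0.20 dport=25 proto=tcp
2024-03-01T10:00:08 conn src=198.51.100.7 dst=10.0.0.20 dport=80 proto=tcp
2024-03-01T10:00:09 conn src=10.0.0.15 dst=10.0.0.22 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["dport"])


def analyze(log_text):
    """Return {src: set(reasons)} for sources that warrant a response."""
    reasons = defaultdict(set)
    ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports
    for _ts, src, dst, dport in parse(log_text):
        # Nothing legitimate ever talks to the honeypot, so one contact is enough.
        if dst in HONEYPOT_IPS:
            reasons[src].add("honeypot-contact")
        ports_seen[(src, dst)].add(dport)
        if len(ports_seen[(src, dst)]) >= PORT_SCAN_THRESHOLD:
            reasons[src].add("port-scan")
    return dict(reasons)


def response_rules(log_text):
    """Active response: one nftables drop rule per offending source, sorted by address.

    Returned as (src, rule, reasons) tuples; applying them is left to the operator.
    """
    return [(src, f"add rule inet filter input ip saddr {src} drop", sorted(why))
            for src, why in sorted(analyze(log_text).items())]


if __name__ == "__main__":
    for src, rule, why in response_rules(CONN_LOG):
        print(f"{src:14s} {','.join(why):28s} {rule}")
```

Only the sources that touched the honeypot or swept five ports on one host are blocked; the internal client that contacted three different servers on one port each stays untouched. The honeypot rule is the simpler and more reliable of the two because it needs no threshold.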


URL: //www.sciencedirect.com/science/article/pii/B9781597495493000018

Intrusion Detection in Contemporary Environments

Tarfa Hamed, ... Stefan C. Kremer, in Computer and Information Security Handbook (Third Edition), 2017

Distributed Intrusion Detection System

A distributed IDS for cloud computing systems is based on deploying IDSs over the network to inspect the traffic for intrusive behavior. Each of these IDSs consists of two components: a detection component and a correlation manager. The detection component is responsible for inspecting the system's behavior and sending the collected data after representing them in a standard format to the correlation manager. The correlation manager, in turn, gathers data from various IDSs and produces high-level alerts that stimulate a reaction to the attack. The analysis phase can use anomaly-based and signature-based detection techniques to respond to known and unknown attacks.

Modi [24] proposed a distributed IDS for cloud computing. The framework was based on installing network IDSs on each host machine of the cloud to monitor virtual network traffic with the goal of detecting intrusions. The proposed framework consisted of six components: packet capture, signature detection, network traffic profile generation, anomaly detection, severity calculation, and an alert system. Packet capture is responsible for capturing network traffic, both between VMs and between VMs and the host machine, for intrusion inspection. Signature detection is used to detect known attacks in the captured network traffic in real time and to filter out any intrusive connection. The third component, network traffic profile generation, builds network profiles by extracting useful network features. It also extracts the virtual local area network (VLAN) ID to identify the VLAN from which the attacking VM is running. The generated profile is sent to the anomaly detection component, which uses an associative classifier to predict a class label (either normal or intrusion) for each received profile. This classifier is useful for detecting unknown attacks in the network. If an intrusion is detected, an alert is sent to the severity calculation module, which is responsible for identifying distributed attacks among the detected intrusions by checking the intrusion alerts stored in the central log server. The last component is the alert system, where alert messages for intrusions are produced. The system stores alert information about each detected intrusion in the network traffic profile log for further training of the associative classifier.
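A correlation manager of the kind described in this section and in the EMERALD excerpt above, as an added example (not code from either chapter or framework). Sensors emit alerts in one standard format; the manager groups them per attacking source, fuses the per-alert confidences, computes a severity that promotes an attack touching several hosts to "distributed" (the severity-calculation step above), and a resolver-style policy dispatches a response only when both the fused confidence and the severity clear configured thresholds (the two evaluation metrics named for the EMERALD resolver). The alert stream, addresses, VLAN numbers and policy values are all constructed.

```python
"""Correlation manager: alert fusion, severity calculation, policy-driven response.

Added example; every alert, address and policy value below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Alert:
    """Standard-format alert as sent by a detection component."""
    sensor: str        # monitor / host IDS that raised the alert
    src: str           # attacking address
    target: str        # attacked host or VM
    vlan: int          # VLAN of the target
    kind: str          # "signature" or "anomaly"
    confidence: float  # analysis engine's confidence that the attack is real, 0..1


# Constructed alert stream from three per-host sensors.
RAW_ALERTS = [
    Alert("hids-vm-01", "203.0.113.5", "vm-01", 10, "signature", 0.6),
    Alert("hids-vm-02", "203.0.113.5", "vm-02", 10, "anomaly", 0.7),
    Alert("hids-vm-03", "203.0.113.5", "vm-03", 20, "signature", 0.5),
    Alert("hids-vm-01", "198.51.100.8", "vm-01", 10, "signature", 0.9),
    Alert("hids-vm-02", "192.0.2.4", "vm-02", 10, "anomaly", 0.4),
]

DISTRIBUTED_MIN_TARGETS = 3   # constructed: hosts hit before an attack counts as distributed
MIN_CONFIDENCE = 0.8          # constructed: below this the policy only logs


def correlate(alerts):
    """Group alerts by source and fuse their confidences with a noisy-OR."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.src].append(a)
    summary = {}
    for src, group in groups.items():
        summary[src] = {
            "targets": {a.target for a in group},
            "vlans": {a.vlan for a in group},
            "kinds": {a.kind for a in group},
            # Treat alerts as independent evidence: P(at least one is real).
            "confidence": 1 - prod(1 - a.confidence for a in group),
        }
    return summary


def severity(entry):
    """Severity from how many distinct hosts one source has attacked."""
    n = len(entry["targets"])
    if n >= DISTRIBUTED_MIN_TARGETS:
        return "distributed"
    return "multi-host" if n > 1 else "single-host"


def response(entry):
    """Resolver-style policy: confidence gates the action, severity selects it."""
    if entry["confidence"] < MIN_CONFIDENCE:
        return "log-only"
    return {"single-host": "notify-admin",
            "multi-host": "block-source",
            "distributed": "block-source+escalate"}[severity(entry)]


def process(alerts):
    """High-level alerts: {src: (severity, fused confidence, action)}."""
    return {src: (severity(e), round(e["confidence"], 3), response(e))
            for src, e in correlate(alerts).items()}


if __name__ == "__main__":
    for src, (sev, conf, action) in process(RAW_ALERTS).items():
        print(f"{src:14s} {sev:12s} conf={conf:.2f} -> {action}")
```

Note how the three low-confidence alerts from 203.0.113.5 (0.6, 0.7, 0.5), none of which would pass the 0.8 gate on its own, fuse to 0.94 once they are seen together across three VMs; that is the benefit of correlating per source rather than responding per sensor, and also the reason the central log of past alerts has to be protected, since it is what the severity decision is built on.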


URL: //www.sciencedirect.com/science/article/pii/B9780128038437000065

Environment friendly green data broadcasting in delay-tolerant opportunistic networks

Sanjay K. Dhurandher, ... Tarun Dhankhar, in Advances in Delay-Tolerant Networks (DTNs) (Second Edition), 2021

7.2.2 Energy efficiency issues related to security in OppNets

One of the areas in a network where energy is extensively utilized is managing its security and privacy. A large amount of energy is spent in recognizing the attackers and in employing the mechanisms in countering the attacks or recovering from them. One of the primary reasons for threats related to privacy and security in OppNets is that even if hard security drills are performed before including a device in the network, this would not help in excluding the malicious devices. In an OppNet, two ways of defense should be employed: (1) a preventive mechanism – for instance, blocking the harmful devices and (2) a reactive mechanism – by implementing a strategy for detecting the harmful devices.

An OppNet faces various challenges when it comes to security and privacy. These challenges include: providing a secure routing mechanism, ensuring the privacy of the network, detecting intrusions, dealing with specifically dangerous attacks, maintaining privacy of data and ensuring its integrity, and authenticating the nodes, helpers, honeypots, and honey farms.

There are various hard and soft mechanisms that have been employed for maintaining the security and privacy of OppNets (Zou et al., 2013). Sending multiple copies of a message guarantees that at least one copy will reach the target node successfully. This technique, however, leads to high energy utilization due to redundancy and duplication. In doing so, it must be ensured that no packet is dropped, to avoid reduced efficiency. Also, there must be a limit on the number of times that a device can request help, so as not to pay heed to multiple false alarms. Another solution consists of tagging packets with signal prints and matching rules in order to detect denial of service attacks using MAC addresses. One can also reduce the load on each node in order to save energy and maintain network connectivity. Also, all nodes can monitor the nodes adjacent to them for ID spoofing. Furthermore, some protocols can be used for the validation of the source address. The techniques employed for maintaining the security and privacy of networks are varied. However, it is often suggested to employ soft mechanisms since they tend to utilize less energy. Hard security mechanisms, on the other hand, require larger amounts of energy, but they offer much better security. Hence, there is a trade-off between energy efficiency and the reliability of the security mechanism in a network.


URL: //www.sciencedirect.com/science/article/pii/B9780081027936000072

Advances in Self-Security of Agent-Based Intrusion Detection Systems

Falkner Moraes, ... Ariel Teles, in Emerging Trends in ICT Security, 2014

Overview

This section describes the concepts related to multi-agent systems, agent-based IDS, IDS-NIDIA, and MOM (Message-Oriented Middleware).

A software agent is an autonomous entity that can interact with its environment. Software agents are implemented in software and can interact with other entities such as humans, machines, and other agents in various environments, across multiple platforms. They are applicable in various ways, for example, in teaching-learning, industry, simulation, virtual reality, services, and computer networks [3,4,6]. Multi-agent systems consist of multiple agents that interact and work together to achieve a particular set of tasks or goals.

An IDS is a system able to monitor network traffic for suspicious activities and issue a warning to the system or network administrator. It inspects all activities within and outside the network, identifying suspicious patterns that might indicate an attack by an intruder trying to break into or compromise a system [2]. The use of agents in IDS software design brings the characteristics of agent technologies into the IDS. An agent-based IDS is a set of autonomous components working together in cooperation. Since the attacks change dynamically, the signatures also change. Therefore, these agents have the ability to learn new signatures or detect abnormal traffic caused by new attacks. Among the major agent-based IDS projects are CAMNEP (an intrusion detection system for high-speed networks) [2], CIDS (Cougaar-Based Intrusion Detection System) [3], MIDS (Multi-Level and Multi-Agent Intrusion Detection System) [4], IDS-NIDIA [1], and others [7,8].

IDS-NIDIA [1] aims to present a system model for detecting intrusion in real time based on an intelligent agent society capable of detecting new attacks by a neural network. IDS-NIDIA is inspired by the CIDF [9] logical model, having agents with the task of generating events (sensors agents), mechanisms for data analysis (monitoring and security evaluation agents), history storage mechanisms (databases), and a module for carrying out countermeasures (countermeasure agents).

The general objectives of the IDS-NIDIA project are: to generate rates of suspected attack through analysis of information collected from host logs and network traffic, to take countermeasures based on the achieved rates, and to learn from the information obtained by upgrading its knowledge databases.

The IDS-NIDIA model [1] combines anomaly-based and misuse-based (abuse) detection to ensure greater system robustness. This choice is made because the majority of attacks can be coded in order to capture and record variants of activities that exploit the same vulnerabilities. Figure 10.1 shows the IDS-NIDIA architecture. It consists of six layers, and each layer contains a set of activities. The activities are performed through a society of agent behaviors that compose the layer. It is also through these agents that the layers communicate with each other, exchanging information to perform different activities.

Figure 10.1. IDS-NIDIA architecture.

The Monitoring Layer is responsible for capturing the occurrence of events in logs and network traffic and provides these data to the rest of the system. The System Monitoring Agents (SMA) are located in this layer and are divided into two categories: Network Sensor Agents (NSA), which capture packets from the network, and Host Sensor Agents (HSA), which collect information from a host and provide it for examination.

The Analysis Layer has the task of examining the received events from the Monitoring Layer. In this layer, the events are collected and formatted in order to identify real attack patterns. The following knowledge databases are used as part of the analysis: the Intruder and Intrusion Pattern Database (IIDB), the Incident Damage Assessment and Forensic Database (DFDB), and the Strategies Database (STDB). In this layer, the System Evaluation Agents (SEA) analyze and provide a suspicion degree about the events that were previously formatted.

The Reaction Layer is responsible for taking countermeasures if a security incident is confirmed. In this layer, the System Controller Agents (SCA) carry out countermeasures in accordance with the Strategies (STDB) and Actions (RADB) databases.

The Update Layer is responsible for maintaining updates to all databases. In this layer, System Update Agents (SUA) have the responsibility to maintain the integrity and consistency of information stored and are the only ones able to change these databases.

The Administration Layer is composed of the Main Controller Agents (MCA), which are responsible for the administration and integrity of all system agents.

The Storage Layer keeps persistent information for all layers. All of the databases used by the IDS-NIDIA are contained here.
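The layered hand-off described above (sensors produce events, evaluation agents score them against a pattern database, controller agents pick a countermeasure from a strategies database) is modelled below as a small Python pipeline. This is an added illustration, not IDS-NIDIA's own code: the agent and database names follow the text, but the event format, the pattern rules, the scoring values, the countermeasure thresholds and the sample log and packet data are all constructed here.

```python
"""Toy model of the IDS-NIDIA agent pipeline sketched above.

Added illustration, not IDS-NIDIA's own code: the agent names (HSA, NSA, SEA,
SCA) and database names (IIDB, STDB) follow the text, but the event format,
the pattern rules, the scoring and the sample data are all constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    """Normalised event handed from the Monitoring Layer to the Analysis Layer."""
    source: str   # "host" or "network"
    actor: str    # user name or source IP
    action: str   # e.g. "login_failed", "syn"
    target: str   # host name or "dst:port"


# Constructed sample input (not real logs or captures).
SAMPLE_HOST_LOG = [
    "auth: user=alice result=fail host=srv1",
    "auth: user=alice result=fail host=srv1",
    "auth: user=alice result=fail host=srv1",
    "auth: user=alice result=fail host=srv1",
    "auth: user=bob result=ok host=srv1",
]
SAMPLE_PACKETS = [  # (src, dst, dport, tcp_flags)
    ("10.0.0.5", "10.0.0.9", 22, "S"),
    ("10.0.0.5", "10.0.0.9", 23, "S"),
    ("10.0.0.5", "10.0.0.9", 25, "S"),
    ("10.0.0.5", "10.0.0.9", 80, "S"),
    ("10.0.0.7", "10.0.0.9", 443, "S"),
]

# Constructed IIDB: each pattern names the action it counts, whether distinct
# targets or raw occurrences are counted, the trigger threshold and the
# suspicion degree assigned when the threshold is reached.
IIDB = {
    "brute_force": {"action": "login_failed", "distinct_targets": False, "threshold": 3, "score": 0.8},
    "port_scan":   {"action": "syn",          "distinct_targets": True,  "threshold": 3, "score": 0.6},
}

# Constructed STDB: highest suspicion degree -> countermeasure, checked in order.
STDB = [(0.75, "block_actor"), (0.5, "alert")]


def host_sensor_agent(lines: List[str]) -> List[Event]:
    """HSA: parse host log lines of the constructed 'auth: k=v ...' form."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split(":", 1)[1].split())
        action = "login_failed" if fields["result"] == "fail" else "login_ok"
        events.append(Event("host", fields["user"], action, fields["host"]))
    return events


def network_sensor_agent(packets: List[Tuple[str, str, int, str]]) -> List[Event]:
    """NSA: emit one event per captured SYN; only header fields are used."""
    return [Event("network", src, "syn", f"{dst}:{dport}")
            for src, dst, dport, flags in packets if "S" in flags]


def system_evaluation_agent(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """SEA: match formatted events against the IIDB and return a suspicion
    degree per actor and pattern."""
    suspicion: Dict[str, Dict[str, float]] = {}
    for name, rule in IIDB.items():
        per_actor: Dict[str, List[str]] = {}
        for e in events:
            if e.action == rule["action"]:
                per_actor.setdefault(e.actor, []).append(e.target)
        for actor, targets in per_actor.items():
            count = len(set(targets)) if rule["distinct_targets"] else len(targets)
            if count >= rule["threshold"]:
                suspicion.setdefault(actor, {})[name] = rule["score"]
    return suspicion


def system_controller_agent(suspicion: Dict[str, Dict[str, float]]) -> Dict[str, str]:
    """SCA: pick a countermeasure from the STDB for each suspicious actor."""
    actions = {}
    for actor, findings in suspicion.items():
        top = max(findings.values())
        actions[actor] = next((name for threshold, name in STDB if top >= threshold), "log")
    return actions


def run_pipeline(host_lines=SAMPLE_HOST_LOG, packets=SAMPLE_PACKETS):
    """Monitoring -> Analysis -> Reaction, the way the layers hand data on."""
    events = host_sensor_agent(host_lines) + network_sensor_agent(packets)
    suspicion = system_evaluation_agent(events)
    return suspicion, system_controller_agent(suspicion)


if __name__ == "__main__":
    print(run_pipeline())
```

With the constructed data, `alice` accumulates four failed logins and is scored 0.8 for `brute_force`, which the STDB maps to `block_actor`; `10.0.0.5` touches four distinct ports and is scored 0.6 for `port_scan`, which only warrants `alert`. The Update and Storage Layers are not modelled: the databases here are plain module-level constants.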

Among the security problems found in IDS-NIDIA, the following stand out: open access to IDS resources, for example, access to the key provider (XMKS server) is not controlled; no validity control for the keys used to protect communication messages; no guarantee of message delivery between agents if a receiving agent fails; and no protection mechanism for the configuration information needed to set up communication and configure the system. Our proposed framework fills these gaps in IDS-NIDIA.

MOM (Message-Oriented Middleware) [10] can be seen as a natural extension of the communication paradigms in the lower layers of the OSI model. Unlike RPC (Remote Procedure Call) and the OOM (Object-Oriented Model), MOM is a form of asynchronous communication: the sender does not block waiting for the receiver during message exchange. If the messaging service offers persistence and reliability, the receiver does not even need to be active and running when the message is sent. Messages are generally untyped, and their internal structure is the application’s responsibility. Prominent MOM examples include IBM’s WebSphere MQ [11], TIBCO Rendezvous [12], and Sun Microsystems’ OpenJMS messaging provider [13].
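The two properties the paragraph above attributes to MOM (non-blocking send, and persistence so the receiver need not be running at send time), together with the missing delivery guarantee and key-validity control listed among IDS-NIDIA's gaps, are easier to see in a minimal broker. The following is an added Python example, not code from IDS-NIDIA, WebSphere MQ, Rendezvous or OpenJMS; the queue name, the key ids, the key registry and the message bodies are constructed for the demonstration.

```python
"""Minimal message-oriented middleware (MOM) broker, added as an illustration
of: a non-blocking send, persistence so the receiver need not be running at
send time, and redelivery of messages a receiver took but never acknowledged.
The receiver also checks that the key id a message was protected with is
still valid, the control the text says IDS-NIDIA lacks. Not code from any
real product; queue name, key ids and validity windows are constructed.
"""
import json
import time
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed key registry: key id -> expiry time (seconds since epoch).
KEY_STORE = {"agent-key-1": {"expires_at": 2000.0}}


class Broker:
    """Queues hold messages in their serialised (persisted) JSON form."""

    def __init__(self, now=time.time):
        self._now = now
        self._queues: Dict[str, deque] = {}
        self._inflight: Dict[int, dict] = {}   # delivered but not yet acknowledged
        self._next_id = 0

    def send(self, queue: str, body: dict, key_id: str) -> int:
        """Enqueue and return immediately; the sender never waits for a receiver."""
        self._next_id += 1
        msg = {"id": self._next_id, "queue": queue, "body": body,
               "key_id": key_id, "sent_at": self._now()}
        self._queues.setdefault(queue, deque()).append(json.dumps(msg))
        return msg["id"]

    def receive(self, queue: str) -> Optional[dict]:
        """Hand the next message to a receiver; it stays in flight until acked."""
        q = self._queues.get(queue)
        if not q:
            return None
        msg = json.loads(q.popleft())
        self._inflight[msg["id"]] = msg
        return msg

    def ack(self, msg_id: int) -> None:
        self._inflight.pop(msg_id, None)

    def recover(self) -> int:
        """Requeue in-flight messages after a receiver failure (at-least-once delivery)."""
        for msg in sorted(self._inflight.values(), key=lambda m: m["id"], reverse=True):
            self._queues.setdefault(msg["queue"], deque()).appendleft(json.dumps(msg))
        count = len(self._inflight)
        self._inflight.clear()
        return count


def key_is_valid(key_id: str, now: float, key_store=KEY_STORE) -> bool:
    """Validity control: the key must be registered and not yet expired."""
    entry = key_store.get(key_id)
    return entry is not None and now < entry["expires_at"]


def consume(broker: Broker, queue: str, now: float,
            key_store=KEY_STORE) -> Tuple[List[dict], List[int]]:
    """Drain a queue, accepting only messages whose key is still valid; every
    message is acked once handled so it is not redelivered."""
    accepted, rejected = [], []
    while True:
        msg = broker.receive(queue)
        if msg is None:
            break
        if key_is_valid(msg["key_id"], now, key_store):
            accepted.append(msg["body"])
        else:
            rejected.append(msg["id"])
        broker.ack(msg["id"])
    return accepted, rejected


def demo() -> Tuple[int, List[dict], List[int]]:
    """Constructed scenario: three sends with no receiver attached, one failed
    receiver, then a clean drain."""
    clock = 1000.0
    broker = Broker(now=lambda: clock)
    broker.send("sea.events", {"actor": "alice", "event": "login_failed"}, "agent-key-1")
    broker.send("sea.events", {"actor": "10.0.0.5", "event": "syn"}, "agent-key-1")
    broker.send("sea.events", {"actor": "host-3", "event": "stale"}, "revoked-key")
    broker.receive("sea.events")          # a receiver takes message 1 ...
    requeued = broker.recover()           # ... and dies before acking: 1 requeued
    accepted, rejected = consume(broker, "sea.events", now=clock)
    return requeued, accepted, rejected


if __name__ == "__main__":
    print(demo())
```

In `demo()` the three sends complete before any receiver exists, the crashed receiver's message is redelivered in its original position, and the message protected with an unregistered key id is rejected rather than processed. A real deployment would back the queues with durable storage and cryptographically bind the key id to the message; here the JSON serialisation only stands in for that persisted form.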


URL: //www.sciencedirect.com/science/article/pii/B9780124114746000104

Flow-based intrusion detection: Techniques and challenges

Muhammad Fahad Umer, ... Yaxin Bi, in Computers & Security, 2017

Abstract

Flow-based intrusion detection is an innovative way of detecting intrusions in high-speed networks. Flow-based intrusion detection only inspects the packet header and does not analyze the packet payload. This paper provides a comprehensive survey of current state of the art in flow-based intrusion detection. It also describes the available flow-based datasets used for evaluation of flow-based intrusion detection systems. The paper proposes a taxonomy for flow-based intrusion detection systems on the basis of the technique used for detection of maliciousness in flow records. We review the architecture and evaluation results of available flow-based intrusion detection systems. We also identify important research challenges for future research in the area of flow-based intrusion detection.
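The defining property in the abstract above, inspecting headers only and working on flow records rather than packet payloads, is shown concretely below. This is an added Python example and not code from the surveyed paper or any flow exporter: a tiny aggregator turns packet headers into 5-tuple flow records, and a detector then reads those records alone. The header tuples, the packet and port thresholds, and the scan heuristic are constructed for the demonstration.

```python
"""Added example (not code from the surveyed paper): a tiny flow exporter that
aggregates packet headers into flow records, followed by a detector that works
on those records alone, never on payload. The header tuples, thresholds and
the scan heuristic are constructed for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# ts, src, dst, sport, dport, proto, length: header fields only, no payload.
Header = Tuple[float, str, str, int, int, str, int]


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int = 0
    bytes: int = 0
    first: float = 0.0
    last: float = 0.0


def build_sample_headers() -> List[Header]:
    """Constructed capture: one host probes five ports with a single packet
    each, another host holds a normal HTTPS session in both directions."""
    headers: List[Header] = []
    for i, port in enumerate([21, 22, 23, 25, 80]):
        headers.append((1.0 + 0.1 * i, "10.0.0.5", "10.0.0.9", 40000 + i, port, "tcp", 60))
    for i in range(20):
        headers.append((0.5 * i, "10.0.0.7", "10.0.0.9", 51000, 443, "tcp", 1200))
        headers.append((0.5 * i + 0.1, "10.0.0.9", "10.0.0.7", 443, 51000, "tcp", 1400))
    return headers


def build_flows(headers: List[Header]) -> List[Flow]:
    """Flow export: aggregate by the 5-tuple; only header fields are read."""
    flows: Dict[Tuple, Flow] = {}
    for ts, src, dst, sport, dport, proto, length in sorted(headers):
        key = (src, dst, sport, dport, proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(src, dst, sport, dport, proto, first=ts, last=ts)
        f.packets += 1
        f.bytes += length
        f.last = max(f.last, ts)
    return list(flows.values())


def detect_port_scans(flows: List[Flow], max_packets: int = 2,
                      min_ports: int = 3) -> Dict[str, Set[int]]:
    """Heuristic on flow records: a source with several very short flows to
    distinct ports of one destination is flagged. Returns src -> probed ports."""
    probes: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            probes[(f.src, f.dst)].add(f.dport)
    return {src: ports for (src, dst), ports in probes.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    sample_flows = build_flows(build_sample_headers())
    for f in sample_flows:
        print(f)
    print(detect_port_scans(sample_flows))
```

The constructed capture yields seven flow records: five single-packet flows from `10.0.0.5` and the two directions of the long HTTPS session. Only the probing source is reported, and nothing in the code ever touches a payload, which is exactly what makes this style of detection cheap enough for high-speed links and also why it cannot see payload-borne attacks.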


URL: //www.sciencedirect.com/science/article/pii/S0167404817301165

What are the 4 types of IDS?

Below are the four basic IDS types along with their characteristics and advantages:
Network intrusion detection system
Host-based intrusion detection system
Perimeter intrusion detection system
VM-based intrusion detection system

Which type of intrusion detection system IDS watches for intrusions that match a known identity?

The two general types of intrusion detection systems are signature based and heuristic. Signature-based intrusion detection systems perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type.

What are the 3 types of IDS?

IDS are classified into 5 types:
Network Intrusion Detection System (NIDS)
Host Intrusion Detection System (HIDS)
Protocol-based Intrusion Detection System (PIDS)
Application Protocol-based Intrusion Detection System (APIDS)
Hybrid Intrusion Detection System

What does an IDS that uses signature recognition use to identify attacks?

A signature-based IDS solution typically monitors inbound network traffic to find sequences and patterns that match a particular attack signature. These may be found within network packet headers as well as in sequences of data that match known malware or other malicious patterns.
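The pattern matching that the two answers above describe, against packet headers as well as against byte sequences in the data, is shown below as a small Python matcher. This is an added example, not code from any real IDS or vendor ruleset: each constructed signature combines header conditions (protocol, destination port) with an optional content pattern applied to the payload, and the sample packets and the "known marker" byte string are constructed for the demonstration.

```python
"""Added example of the signature-matching step described above; not code from
any real IDS. Each constructed signature combines header conditions (protocol,
destination port) with an optional content pattern applied to the payload, and
the matcher reports which signatures fire on a packet."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str
    dport: Optional[int]          # None = any destination port
    content: Optional[Pattern]    # compiled regex over the payload, None = header-only


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Constructed signature set (illustrative ids and names, not a vendor ruleset).
SIGNATURES = [
    Signature(1000001, "HTTP request referencing /etc/passwd", "tcp", 80, re.compile(rb"/etc/passwd")),
    Signature(1000002, "Cleartext telnet to internal host", "tcp", 23, None),
    Signature(1000003, "Constructed malware marker in payload", "tcp", None,
              re.compile(rb"CONSTRUCTED-MARKER-7F3A")),
]

# Constructed inbound packets (not a real capture).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.0.9", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.9", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.8", "10.0.0.9", "tcp", 23, b""),
    Packet("198.51.100.9", "10.0.0.9", "tcp", 8080, b"\x00\x01CONSTRUCTED-MARKER-7F3A\x02"),
    Packet("198.51.100.9", "10.0.0.9", "udp", 53, b"/etc/passwd"),   # wrong protocol for sid 1000001
]


def match_signatures(pkt: Packet, signatures=SIGNATURES) -> List[int]:
    """Return the ids of every signature whose header conditions and, if
    present, content pattern hold for this packet."""
    hits = []
    for sig in signatures:
        if sig.proto != pkt.proto:
            continue
        if sig.dport is not None and sig.dport != pkt.dport:
            continue
        if sig.content is not None and not sig.content.search(pkt.payload):
            continue
        hits.append(sig.sid)
    return hits


def scan(packets: List[Packet], signatures=SIGNATURES) -> Dict[int, List[int]]:
    """Alerts as {packet index: [sid, ...]} for packets that hit at least once."""
    alerts: Dict[int, List[int]] = {}
    for i, pkt in enumerate(packets):
        hits = match_signatures(pkt, signatures)
        if hits:
            alerts[i] = hits
    return alerts


if __name__ == "__main__":
    for idx, sids in scan(SAMPLE_PACKETS).items():
        print(idx, SAMPLE_PACKETS[idx].src, [s.name for s in SIGNATURES if s.sid in sids])
```

Header-only signatures (sid 1000002) fire on protocol and port alone, which is cheap but coarse; content signatures are more specific but only catch what they were written for, which is the known-attack limitation of the signature approach. The last sample packet shows why header conditions belong in the signature: the same byte pattern over UDP/53 is not what sid 1000001 was written to detect and produces no alert.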
